Abstract
Studies establish that cybersecurity executives face complex difficulties from constantly shifting risks due to the role's scalability and increasing responsibilities in this cyber-revolution. Cognitive and emotional aspects can influence change and decision-making, especially during times of heightened anxiety and evolving change. Through qualitative study and interpretative phenomenological analysis design, this research offers how leaders' 16-hour or more per-day working schedules affect the companies' readiness, how working hours affect leaders' resilience, and whether leadership traits like longevity, tenure, and other similar characteristics should be considered when estimating cyber risk insurance. This study aims to strengthen the defense-in-depth perimeter by providing a means to proactively identify factors that align with an enhanced approach to better estimate appropriate cyber liability coverage. Beneficiaries of this research are cybersecurity leaders and practitioners, academia, organizations that employ cybersecurity, and cyber risk insurance brokerages.
TopIntroduction
Cybersecurity leadership has become indispensable, characterized by relentless and ever-evolving cyber threats in today’s digital age. The relentless onslaught of cyberattacks poses a multitude of challenges that often outpace existing defensive measures, necessitating strong leadership in the realm of cybersecurity (Deloitte, 2023; Badhwar, 2021; Burrell et al., 2020; Burton, 2023). This chapter explores the critical importance of cybersecurity leadership and the complex issues cybersecurity executives face in the face of rapidly shifting risks and escalating responsibilities brought about by the cyber revolution.
The Geneva Papers on Risk and Insurance: Issues and Practice (2022) report that cybercrime is assessed as having cost the global economy slightly less than $1 trillion in 2020, denoting a surge of over 50% since 2018. With the typical cyber insurance claim escalating from $145,000 in 2019 to $359,000 in 2020, the need for better intelligence around cybersecurity factors persists (Cremer et al., 2022; The Geneva Papers, 2022). Research indicates that the ability of cyber leaders to operate at peak performance directly impacts organizational readiness (Nobles et al., 2023). According to a 2020 Tessian and Stanford University study, human error was the primary cause of 88% of data breach events. Distraction was identified as the primary cause for falling victim to a phishing scam by over half (47%) of respondents, while 44% attributed their vulnerability to sleepiness or stress.
Cyberattacks have become increasingly frequent and sophisticated, resulting in annual losses totaling billions of dollars (CISA, 2022; Kaminska, 2021; Shandler et al., 2023; Snider et al., 2021). High-profile cyber incidents, such as data breaches and cyberattacks, have exposed organizations to significant aftermaths and cybersecurity challenges (Burton, 2023; Cavares et al., 2023; Nobles et al., 2023). Consequently, cybersecurity leaders grapple with exhaustion, excessive workloads, and needing to be on call (Gartner, 2021; Olyaei, 2023). These human factors directly impact an organization’s security posture (Nobles, 2022b).
Cybersecurity leaders face challenges from rapidly advancing technology and evolving risk environments (Badhwar, 2021; Burrell et al., 2020; Cazares et al., 2023; PwC, 2022). They grapple with adapting to the dynamic landscape of cybersecurity risk management governance while experiencing burnout, overwork, and being in a constant “always-on” mode (Gartner, 2022; Gartner, 2021; Nobles, 2021; Nobles, 2022b; Olyaei, 2023). Specifically, CISOs indicated experiencing burnout, emotional exhaustion, depersonalization, and reduced professional efficacy (Reeves et al., 2023).
Key Terms in this Chapter
Emotional Exhaustion: Describes feeling emotionally exhausted due to work. Depleted vigor, emotional tiredness, and depletion characterize emotional exhaustion.
Cybersecurity Capability Maturity Model (C2M2): A voluntary evaluation process that measures the intricacy and sustainment of an organization’s cybersecurity program.
Impaired Professional Efficacy: Individuals may have diminished regarded competence and success in their field, feeling ineffectiveness and perceiving their contributions as insignificant.
Cyber Insurance: This is a specialized insurance product designed to protect individuals and organizations from the financial losses associated with cybersecurity incidents. It can cover various aspects of cyber risk, including data breaches, network security, and privacy liability.
Resilience Engineering Framework: The framework entails understanding and improving an organization's ability to adapt to and recover from unforeseen events such as failures and disruptions.
Job Demands-Resources (JD-R) Model: A psychological model that explores the effect of workplace demands and job resources on employee welfare and performance.
Depersonalization: Refers to cynicism and negativity against stakeholders, inhibited by a deficit of empathy, tendency to see people as objects, and alienation from work are its hallmarks.